American Airlines Group Inc. has suffered a data breach in which personal details of customers and employees were potentially stolen.

Disclosed by AA in a letter to victims on Sept. 16, the breach is described as involving an authorized actor compromising the email accounts of a limited number of AA team members in July. The airline said that upon discovering the incident, it secured the email accounts and engaged a third-party cybersecurity forensics firm to investigate the incident’s nature and scope.

The investigation was inconclusive, finding that certain personal information was in the email accounts, but there was no evidence that personal information was misused. However, the airline added that it was informing potential victims of the breach anyway.

Potentially stolen information includes name, date of birth, mailing address, phone number, email address, driver’s license number, passport number and certain medical information. All those potentially exposed are being offered two-year membership of Experian IdentityWorks for identity detection and resolution of identity theft.

Although the vector for the data breach was not immediately disclosed by AA, a spokesperson for the airline told Bleeping Computer Monday that the accounts were compromised in a phishing campaign and that only a “very small number” of team members and customers were affected.

This is not the first time American Airlines has been targeted in a cyberattack. Chinese hackers compromised AA and flight reservation company Sabre Corp. in 2015, resulting in potentially millions of stolen records.

John Gunn, chief executive officer of authentication company Tokenize Inc., told SiliconANGLE that “the reputational damage from this breach will likely far exceed the out-of-pocket losses, especially in an industry where proper precautions and safety are paramount in customers’ selection of which airline they fly with.”

Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc., noted that email accounts are still a favorite target of cybercriminals and this is yet another example of email phishing allowing them to take over some accounts.

“While the number of individuals impacted by this may be limited, organizations such as airlines collect and hold relatively sensitive information that could have a significant impact on those victims,” Kron explained. “While the airline states no misuse of the data has occurred so far that they are aware of, it has been a relatively short amount of time and it’s not always known whether that data has been misused or not, so that’s not very comforting for potential victims.”

Photo: Russell Lee/Wikimedia Commons